When it comes to passwords, keep it simple, but not too simple

We humans are a wonderful species, but – let’s face it – we’re flawed. We sometimes belch in public. Our once rock-hard abs surrender to gravity’s persuasions. Hair migrates from places we want it to places we don’t. And we shy away from things that are difficult, boring, confusing, and inconvenient, even if they’re going to keep us safe, and perhaps even more vigorously if we know that they will keep us safe, just to give voice to our inner rebel.

So it is with our use of online passwords.

This doesn’t have to be rocket science. And it most certainly isn’t a task that should be delegated to one of the NSA’s favorite targets, as this truly misguided article suggests. Moreover, you don’t need to use a password manager like LastPass or KeePass. While those are wonderful tools and I’ve used them myself (particularly LastPass), they are not mobile-device friendly, which means, if you’re like lazy-human me, you’ll soon stop using them.

So, if I’m advising you not to depend on Google or Facebook to log you into sites and not to use a password manager like LastPass, how, then, can you manage your passwords for all the various sites and applications you use?

Certainly, you SHOULD NOT use the same password for every site. That’s the deadliest of the world’s deadly sins. More than that, it’s just dumb. I don’t care how much self-loathing you have or how much you fancy yourself a rebel. Do not use the same password for every site.

My advice is to keep things almost as simple. Instead of choosing the same password for every site, choose the same password pattern for every site. Here’s the pattern I follow.

Start with a string of characters that is easy for you to remember. It should consist of a combination of letters, numbers, and, if possible, special characters like punctuation. This same string will be used for every password you create.

Append to this common string a special character, such as an exclamation point or a dollar sign or a hash mark. This special character will separate your common string from the next part of your password. You’ll use the same separator character for every password you create.

Here comes the part that is unique to each site you visit. Derive from the address of the website a sequence of characters that are specific to that website’s address using a recipe that you can remember. For example, your recipe might be to take the second and fourth characters of the website’s address, capitalizing the second character. So, for example, if the website is Facebook, this part of your password would be Ae. Notice: per the recipe, I’ve extracted the second and fourth characters of the name of the site, capitalizing the second. You’d use that same recipe for every site you visit.

Let’s put this all together now. Suppose your common password string is FtatRWsY1981 (a passphrase that might celebrate, for example, AC/DC’s For Those About to Rock We Salute You album from 1981). Suppose you’ve chosen your separator character to be a hash sign (#). Then, if your recipe for setting the website-specific part of our password is to choose the second and fourth characters of the website name, capitalizing the second, then, your passwords for some common sites would be as follows:

Facebook: FtatRWsY1981#Ae

Google: FtatRWsY1981#Og

Twitter: FtatRWsY1981#Wt

There you have it: a strong, unique, easy-to-remember password for every site you visit. It’s almost as simple as using the same password for every site or having Facebook or Google manage all your logins for you. But it has the added benefit that you won’t have to turn in your proud-to-have-a-brain club membership card.

You’ve kept it simple, but not too simple. That’s the sweet spot most of the best security solutions reach.